Fedora Update for mozilla-noscript FEDORA-2018-09c51bbcec
2018-09-28T00:00:00
ID OPENVAS:1361412562310875103 Type openvas Reporter Copyright (C) 2018 Greenbone Networks GmbH Modified 2019-03-15T00:00:00
Description
The remote host is missing an update for the 'mozilla-noscript' package(s) announced via the referenced advisory.
###############################################################################
# OpenVAS Vulnerability Test
# $Id: gb_fedora_2018_09c51bbcec_mozilla-noscript_fc27.nasl 14223 2019-03-15 13:49:35Z cfischer $
#
# Fedora Update for mozilla-noscript FEDORA-2018-09c51bbcec
#
# Authors:
# System Generated Check
#
# Copyright:
# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
# Metadata registration. This branch runs only when `description` is true:
# it records the plugin's identity, scoring, texts and prerequisites, then
# leaves through the exit(0) at the end, so the package check further down
# is never reached from here.
if(description)
{
# Identity and revision bookkeeping for this check.
script_oid("1.3.6.1.4.1.25623.1.0.875103");
script_version("$Revision: 14223 $");
script_tag(name:"last_modification", value:"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $");
script_tag(name:"creation_date", value:"2018-09-28 13:33:40 +0200 (Fri, 28 Sep 2018)");
# The single CVE this advisory is mapped to.
script_cve_id("CVE-2018-16983");
# The vector uses CVSS v2 notation (AV/AC/Au), so 7.5 is a v2 base score.
# NOTE(review): the NVD record for CVE-2018-16983 also carries a CVSS v3.0
# base score of 9.8; ranking findings on this tag alone may under-prioritise.
script_tag(name:"cvss_base", value:"7.5");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");
# "package": the verdict comes from comparing installed package versions,
# not from exercising the extension itself.
script_tag(name:"qod_type", value:"package");
script_name("Fedora Update for mozilla-noscript FEDORA-2018-09c51bbcec");
# The next two values span two source lines; the line break is part of the
# string, so the continuation lines must not be re-indented.
script_tag(name:"summary", value:"The remote host is missing an update for the 'mozilla-noscript'
package(s) announced via the referenced advisory.");
script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present
on the target host.");
script_tag(name:"affected", value:"mozilla-noscript on Fedora 27");
script_tag(name:"solution", value:"Please install the updated packages.");
# Cross-references: the Fedora advisory id and its package-announce message.
script_xref(name:"FEDORA", value:"2018-09c51bbcec");
script_xref(name:"URL", value:"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KIS6RN6NLLCQBMCOAI3ZQVQSUGX4LPNF");
script_tag(name:"solution_type", value:"VendorFix");
# Registered in the information-gathering category.
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (C) 2018 Greenbone Networks GmbH");
script_family("Fedora Local Security Checks");
# Declares gather-package-list.nasl as a prerequisite.
# presumably that script fills the ssh/login/* keys required below; verify.
script_dependencies("gather-package-list.nasl");
# Required knowledge-base keys: a Fedora SSH login, an RPM list, and a release
# entry matching FC27. NOTE(review): the key names suggest the check yields a
# result only on authenticated (SSH) scans of Fedora 27 hosts; confirm.
script_mandatory_keys("ssh/login/fedora", "ssh/login/rpms", re:"ssh/login/release=FC27");
# End of the metadata pass.
exit(0);
}
include("revisions-lib.inc");
include("pkg-lib-rpm.inc");
# Detection pass: compare the installed mozilla-noscript RPM on a Fedora 27
# host against the fixed build named in advisory FEDORA-2018-09c51bbcec.
#
# NOTE(review): the verdict is based on the package list alone. It does not
# show whether the extension is enabled in any browser profile, and a copy
# installed outside RPM is presumably not seen by this check.

# Release string as reported by the RPM helper library; nothing to do without it.
release = rpm_get_ssh_release();
if(!release) {
  exit(0);
}

res = "";

if(release == "FC27") {
  # A non-NULL result is handed to security_message() as the report text.
  # The rpm: value appears to encode name~version~release with '~' separators
  # (advisory build: mozilla-noscript-10.1.9.6-1.fc27); confirm in pkg-lib-rpm.inc.
  res = isrpmvuln(pkg:"mozilla-noscript", rpm:"mozilla-noscript~10.1.9.6~1.fc27", rls:"FC27");
  if(res != NULL) {
    security_message(data:res);
    exit(0);
  }

  # __pkg_match is not set in this file; presumably pkg-lib-rpm.inc sets it when
  # the package was found. exit(99) then presumably reports "installed and not
  # affected", as opposed to the plain exit(0) used when nothing matched.
  # TODO confirm against the scanner's exit-code convention.
  if(__pkg_match) {
    exit(99);
  }
  exit(0);
}
{"id": "OPENVAS:1361412562310875103", "type": "openvas", "bulletinFamily": "scanner", "title": "Fedora Update for mozilla-noscript FEDORA-2018-09c51bbcec", "description": "The remote host is missing an update for the ", "published": "2018-09-28T00:00:00", "modified": "2019-03-15T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310875103", "reporter": "Copyright (C) 2018 Greenbone Networks GmbH", "references": ["2018-09c51bbcec", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KIS6RN6NLLCQBMCOAI3ZQVQSUGX4LPNF"], "cvelist": ["CVE-2018-16983"], "lastseen": "2019-05-29T18:33:10", "viewCount": 1, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2018-16983"]}, {"type": "nessus", "idList": ["FEDORA_2018-E9821AFBCA.NASL", "FEDORA_2018-09C51BBCEC.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310875111"]}, {"type": "fedora", "idList": ["FEDORA:9D0DF60A7544", "FEDORA:02CD860157F1"]}], "modified": "2019-05-29T18:33:10", "rev": 2}, "score": {"value": 6.0, "vector": "NONE", "modified": "2019-05-29T18:33:10", "rev": 2}, "vulnersScore": 6.0}, "pluginID": "1361412562310875103", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_09c51bbcec_mozilla-noscript_fc27.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for mozilla-noscript FEDORA-2018-09c51bbcec\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without 
even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.875103\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-09-28 13:33:40 +0200 (Fri, 28 Sep 2018)\");\n script_cve_id(\"CVE-2018-16983\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for mozilla-noscript FEDORA-2018-09c51bbcec\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'mozilla-noscript'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n script_tag(name:\"affected\", value:\"mozilla-noscript on Fedora 27\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"FEDORA\", value:\"2018-09c51bbcec\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KIS6RN6NLLCQBMCOAI3ZQVQSUGX4LPNF\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n 
script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC27\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC27\")\n{\n\n if ((res = isrpmvuln(pkg:\"mozilla-noscript\", rpm:\"mozilla-noscript~10.1.9.6~1.fc27\", rls:\"FC27\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "naslFamily": "Fedora Local Security Checks"}
{"cve": [{"lastseen": "2021-02-02T06:52:32", "description": "NoScript Classic before 5.1.8.7, as used in Tor Browser 7.x and other products, allows attackers to bypass script blocking via the text/html;/json Content-Type value.", "edition": 8, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-09-13T04:29:00", "title": "CVE-2018-16983", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-16983"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/a:torproject:tor_browser:7.0.11"], "id": "CVE-2018-16983", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-16983", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:torproject:tor_browser:7.0.11:*:*:*:*:*:*:*"]}], "fedora": [{"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2018-16983"], "description": "The NoScript Firefox extension provides extra protection for Firefox. It allows JavaScript, Java, Flash and other plug-ins to be executed only by trusted web sites of your choice (e.g. 
your online bank) and additionally provides Anti-XSS protection. ", "modified": "2018-09-27T17:30:03", "published": "2018-09-27T17:30:03", "id": "FEDORA:02CD860157F1", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 28 Update: mozilla-noscript-10.1.9.6-1.fc28", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2018-16983"], "description": "The NoScript Firefox extension provides extra protection for Firefox. It allows JavaScript, Java, Flash and other plug-ins to be executed only by trusted web sites of your choice (e.g. your online bank) and additionally provides Anti-XSS protection. ", "modified": "2018-09-27T16:18:18", "published": "2018-09-27T16:18:18", "id": "FEDORA:9D0DF60A7544", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 27 Update: mozilla-noscript-10.1.9.6-1.fc27", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-01-07T10:15:52", "description": "Changes since 10.1.8.16: ===\n\nv 10.1.9.6\n=============================================================\n\n - [TB] Gracefully handle legacy external message\n recipients\n\n - [XSS] Updated known HTML5 events\n\n - Better IPV6 support\n\n - UI support for protocol-only entries\n\nv 10.1.9.5\n=============================================================\n\n - Fix for various content script timing related issues\n (thanks therube for reporting)\n\nv 10.1.9.4\n=============================================================\n\n - Prevent total breakages when policies accidentally map\n to invalid match patterns\n\n - Internal messaging dispatch better coping with multiple\n option windows\n\n - Avoid multiple CSP DOM insertions\n\nv 10.1.9.3\n=============================================================\n\n - Fixed message handling regression breaking embedders and\n causing potential internal message loops\n\nv 
10.1.9.2\n=============================================================\n\n - More efficient window.name-based tab-scoped permissions\n persistence\n\n - Fixed URL parsing bugs\n\n - Fixed bug in requestKey generation\n\n - [Build] Enhanced TLD data update subsystem\n\n - [UI] CUSTOM presets gets initialized with currently\n applied preset, including temporary/permanent status\n\n - Improved internal message dispatching, avoiding\n potential race conditions\n\n - [L10n] Transifex integration\n\n - Work-around for DOM-injected CSP not being honored when\n appended to the root element, rather than HEAD\n\n - Transparent support for FQDNs\n\n - Better file: protocol support\n\n - Full-page placeholders for media/plugin documents\n\nv 10.1.9.1\n=============================================================\n\n - Fixed NOSCRIPT emulation not running in contexts where\n service workers are disabled, such as private windows\n (thanks Peter Wu for patch)\n\nv 10.1.9 =============================================================\n\n - Completely revamped CSP backend, enforcing policies both\n in webRequest and in the DOM\n\n - Reload-less service worker busting\n\n - removed obsoleted failsafes, including forced reloads\n\n - Better timing for popup UI feedback on permissions\n changes\n\n - Send out a 'started' message after initialization to\n help embedders (like the Tor browser) interact with\n NoScript\n\n - Updated TLDs\n\nv 10.1.8.23\n=============================================================\n\n - Hotfix for reload loops before CSP management\n refactoring\n\nv 10.1.8.22\n=============================================================\n\n - Fixed reload loop on unrestricted tabs (thanks random\n for reporting)\n\nv 10.1.8.20\n=============================================================\n\n - Fixed Sites.domainImplies() misplaced optimization.\n\n - [L10n] Added Catalan (ca)\n\nv 10.1.8.19\n=============================================================\n\n - Fixed 
onResponseHeader failing on session restore\n because of onBeforeRequest not having being called.\n\n - Fixed regression: framed documents' URLs not being\n reported in the UI (thanks xaex for report)\n\nv 10.1.8.18\n=============================================================\n\n - More resilient and optimized Sites.domainImplies()\n\n - Update ChildPolicies when automatic temp TRUST for\n top-level documents is enabled\n\n - Fixed messages from content scripts being 'eaten' by the\n wrong dispatcher when UI is open (thanks\n skriptimaahinen)\n\n - Fixed typo causing accidental permissions/status\n mismatches being checked only while pages are still\n loading (thanks skriptimaahinen)\n\n - Fixed typo in XSS name sanitization script injection\n (thanks skriptimaahinen)\n\nv 10.1.8.17\n=============================================================\n\n - Fix: Sites.domainImplies() should match subdomains\n\n - More coherent wrapper around the webex messaging API\n\n - Fixed inconsistencies affecting ChildPolicies content\n script auto-generated matching rules.\n\n - Fixed potential issues with cross-process messages\n\n - Simpler and more reliable safety net to ensure CSP\n headers are injected last among WebExtensions\n\n - Fixed regression causing refresh loops on pages which\n use type='object' requests to load images, css and other\n types\n\n - [L10n] ru and de translations\n\n - [XSS] Updated HTML events auto-generate matching code to\n use both latest Mozilla source code and archived data\n since Firefox ESR 52\n\n - New dynamic scripts management strategy based on the\n browser.contentScripts API, should fix some elusive,\n likely requestFilter-induced, bugs\n\n - Fixed no-dot domains threated as empty TLDs (thanks\n Peter Wu for patch)\n\n - Removed requestFilter hack for dynamic scripts\n management\n\n - [L10n] br and tr translations (thanks Transifex/OTF,\n https://www.transifex.com/otf/noscript/)\n\n - Best effort to have webRequest.onHeaderReceived 
listener\n run last (issue #6, thanks kkapsner)\n\n - [L10n] Localized 'NoScript Options' title (thanks\n Diklabyte)\n\n - Fixed inline scripts not being reported to UI (thanks\n skriptimaahinen for patch)\n\n - Skip non-content windows when deferring startup page\n loads (thanks Rob Wu for reporting)\n\n - Broader detection of UTF-8 encoding in responses (thanks\n Rob Wu for reporting)\n\n - Improved support for debugging code removal in releases\n\n - Fixed startup race condition with pending request\n tracking\n\n - Fixed updating NoScript reloads tabs with revoked\n temporary permissions.\n\nLegacy version: ===\n\nv 5.1.8.7\n=============================================================\n\n - [Security] Fixed script blocking bypass zero-day (thanks\n Zerodium for unresponsible disclosure,\n https://twitter.com/Zerodium/status/1039127214602641409)\n\n - [Surrogate] Fixed typo in 2mdn replacement (thansk\n barbaz)\n\n - [XSS] Fixed InjectionChecker choking at some big JSON\n payloads sents as POST form data\n\n - [XSS] In-depth protection against native ES6 modules\n abuse\n\n - Fixed classic beta channel users being accidentally\n migrated to stable (thanks barbaz)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 16, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-09-28T00:00:00", "title": "Fedora 27 : mozilla-noscript (2018-09c51bbcec)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-16983"], "modified": "2018-09-28T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:27", "p-cpe:/a:fedoraproject:fedora:mozilla-noscript"], "id": "FEDORA_2018-09C51BBCEC.NASL", "href": "https://www.tenable.com/plugins/nessus/117813", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, 
Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-09c51bbcec.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(117813);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2018-16983\");\n script_xref(name:\"FEDORA\", value:\"2018-09c51bbcec\");\n\n script_name(english:\"Fedora 27 : mozilla-noscript (2018-09c51bbcec)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Changes since 10.1.8.16: ===\n\nv 10.1.9.6\n=============================================================\n\n - [TB] Gracefully handle legacy external message\n recipients\n\n - [XSS] Updated known HTML5 events\n\n - Better IPV6 support\n\n - UI support for protocol-only entries\n\nv 10.1.9.5\n=============================================================\n\n - Fix for various content script timing related issues\n (thanks therube for reporting)\n\nv 10.1.9.4\n=============================================================\n\n - Prevent total breakages when policies accidentally map\n to invalid match patterns\n\n - Internal messaging dispatch better coping with multiple\n option windows\n\n - Avoid multiple CSP DOM insertions\n\nv 10.1.9.3\n=============================================================\n\n - Fixed message handling regression breaking embedders and\n causing potential internal message loops\n\nv 10.1.9.2\n=============================================================\n\n - More efficient window.name-based tab-scoped permissions\n persistence\n\n - Fixed URL parsing bugs\n\n - Fixed bug in requestKey generation\n\n - [Build] Enhanced TLD data update subsystem\n\n - 
[UI] CUSTOM presets gets initialized with currently\n applied preset, including temporary/permanent status\n\n - Improved internal message dispatching, avoiding\n potential race conditions\n\n - [L10n] Transifex integration\n\n - Work-around for DOM-injected CSP not being honored when\n appended to the root element, rather than HEAD\n\n - Transparent support for FQDNs\n\n - Better file: protocol support\n\n - Full-page placeholders for media/plugin documents\n\nv 10.1.9.1\n=============================================================\n\n - Fixed NOSCRIPT emulation not running in contexts where\n service workers are disabled, such as private windows\n (thanks Peter Wu for patch)\n\nv 10.1.9 =============================================================\n\n - Completely revamped CSP backend, enforcing policies both\n in webRequest and in the DOM\n\n - Reload-less service worker busting\n\n - removed obsoleted failsafes, including forced reloads\n\n - Better timing for popup UI feedback on permissions\n changes\n\n - Send out a 'started' message after initialization to\n help embedders (like the Tor browser) interact with\n NoScript\n\n - Updated TLDs\n\nv 10.1.8.23\n=============================================================\n\n - Hotfix for reload loops before CSP management\n refactoring\n\nv 10.1.8.22\n=============================================================\n\n - Fixed reload loop on unrestricted tabs (thanks random\n for reporting)\n\nv 10.1.8.20\n=============================================================\n\n - Fixed Sites.domainImplies() misplaced optimization.\n\n - [L10n] Added Catalan (ca)\n\nv 10.1.8.19\n=============================================================\n\n - Fixed onResponseHeader failing on session restore\n because of onBeforeRequest not having being called.\n\n - Fixed regression: framed documents' URLs not being\n reported in the UI (thanks xaex for report)\n\nv 
10.1.8.18\n=============================================================\n\n - More resilient and optimized Sites.domainImplies()\n\n - Update ChildPolicies when automatic temp TRUST for\n top-level documents is enabled\n\n - Fixed messages from content scripts being 'eaten' by the\n wrong dispatcher when UI is open (thanks\n skriptimaahinen)\n\n - Fixed typo causing accidental permissions/status\n mismatches being checked only while pages are still\n loading (thanks skriptimaahinen)\n\n - Fixed typo in XSS name sanitization script injection\n (thanks skriptimaahinen)\n\nv 10.1.8.17\n=============================================================\n\n - Fix: Sites.domainImplies() should match subdomains\n\n - More coherent wrapper around the webex messaging API\n\n - Fixed inconsistencies affecting ChildPolicies content\n script auto-generated matching rules.\n\n - Fixed potential issues with cross-process messages\n\n - Simpler and more reliable safety net to ensure CSP\n headers are injected last among WebExtensions\n\n - Fixed regression causing refresh loops on pages which\n use type='object' requests to load images, css and other\n types\n\n - [L10n] ru and de translations\n\n - [XSS] Updated HTML events auto-generate matching code to\n use both latest Mozilla source code and archived data\n since Firefox ESR 52\n\n - New dynamic scripts management strategy based on the\n browser.contentScripts API, should fix some elusive,\n likely requestFilter-induced, bugs\n\n - Fixed no-dot domains threated as empty TLDs (thanks\n Peter Wu for patch)\n\n - Removed requestFilter hack for dynamic scripts\n management\n\n - [L10n] br and tr translations (thanks Transifex/OTF,\n https://www.transifex.com/otf/noscript/)\n\n - Best effort to have webRequest.onHeaderReceived listener\n run last (issue #6, thanks kkapsner)\n\n - [L10n] Localized 'NoScript Options' title (thanks\n Diklabyte)\n\n - Fixed inline scripts not being reported to UI (thanks\n skriptimaahinen for patch)\n\n 
- Skip non-content windows when deferring startup page\n loads (thanks Rob Wu for reporting)\n\n - Broader detection of UTF-8 encoding in responses (thanks\n Rob Wu for reporting)\n\n - Improved support for debugging code removal in releases\n\n - Fixed startup race condition with pending request\n tracking\n\n - Fixed updating NoScript reloads tabs with revoked\n temporary permissions.\n\nLegacy version: ===\n\nv 5.1.8.7\n=============================================================\n\n - [Security] Fixed script blocking bypass zero-day (thanks\n Zerodium for unresponsible disclosure,\n https://twitter.com/Zerodium/status/1039127214602641409)\n\n - [Surrogate] Fixed typo in 2mdn replacement (thansk\n barbaz)\n\n - [XSS] Fixed InjectionChecker choking at some big JSON\n payloads sents as POST form data\n\n - [XSS] In-depth protection against native ES6 modules\n abuse\n\n - Fixed classic beta channel users being accidentally\n migrated to stable (thanks barbaz)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-09c51bbcec\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected mozilla-noscript package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:mozilla-noscript\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:27\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/09/13\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/09/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/28\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^27([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 27\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC27\", reference:\"mozilla-noscript-10.1.9.6-1.fc27\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"mozilla-noscript\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T10:22:07", "description": "Changes since 10.1.8.16: ===\n\nv 10.1.9.6\n=============================================================\n\n - [TB] Gracefully handle legacy external message\n recipients\n\n - [XSS] Updated known HTML5 events\n\n - Better IPV6 support\n\n - UI support for protocol-only entries\n\nv 10.1.9.5\n=============================================================\n\n - Fix for various content script timing related issues\n (thanks therube for reporting)\n\nv 10.1.9.4\n=============================================================\n\n - Prevent total breakages when policies accidentally map\n to invalid match patterns\n\n - Internal messaging dispatch better coping with multiple\n option windows\n\n - Avoid multiple CSP DOM insertions\n\nv 10.1.9.3\n=============================================================\n\n - Fixed message handling regression breaking embedders and\n causing potential internal message loops\n\nv 10.1.9.2\n=============================================================\n\n - More efficient window.name-based tab-scoped permissions\n persistence\n\n - Fixed URL parsing bugs\n\n - 
Fixed bug in requestKey generation\n\n - [Build] Enhanced TLD data update subsystem\n\n - [UI] CUSTOM presets gets initialized with currently\n applied preset, including temporary/permanent status\n\n - Improved internal message dispatching, avoiding\n potential race conditions\n\n - [L10n] Transifex integration\n\n - Work-around for DOM-injected CSP not being honored when\n appended to the root element, rather than HEAD\n\n - Transparent support for FQDNs\n\n - Better file: protocol support\n\n - Full-page placeholders for media/plugin documents\n\nv 10.1.9.1\n=============================================================\n\n - Fixed NOSCRIPT emulation not running in contexts where\n service workers are disabled, such as private windows\n (thanks Peter Wu for patch)\n\nv 10.1.9 =============================================================\n\n - Completely revamped CSP backend, enforcing policies both\n in webRequest and in the DOM\n\n - Reload-less service worker busting\n\n - removed obsoleted failsafes, including forced reloads\n\n - Better timing for popup UI feedback on permissions\n changes\n\n - Send out a 'started' message after initialization to\n help embedders (like the Tor browser) interact with\n NoScript\n\n - Updated TLDs\n\nv 10.1.8.23\n=============================================================\n\n - Hotfix for reload loops before CSP management\n refactoring\n\nv 10.1.8.22\n=============================================================\n\n - Fixed reload loop on unrestricted tabs (thanks random\n for reporting)\n\nv 10.1.8.20\n=============================================================\n\n - Fixed Sites.domainImplies() misplaced optimization.\n\n - [L10n] Added Catalan (ca)\n\nv 10.1.8.19\n=============================================================\n\n - Fixed onResponseHeader failing on session restore\n because of onBeforeRequest not having being called.\n\n - Fixed regression: framed documents' URLs not being\n reported in the UI (thanks 
xaex for report)\n\nv 10.1.8.18\n=============================================================\n\n - More resilient and optimized Sites.domainImplies()\n\n - Update ChildPolicies when automatic temp TRUST for\n top-level documents is enabled\n\n - Fixed messages from content scripts being 'eaten' by the\n wrong dispatcher when UI is open (thanks\n skriptimaahinen)\n\n - Fixed typo causing accidental permissions/status\n mismatches being checked only while pages are still\n loading (thanks skriptimaahinen)\n\n - Fixed typo in XSS name sanitization script injection\n (thanks skriptimaahinen)\n\nv 10.1.8.17\n=============================================================\n\n - Fix: Sites.domainImplies() should match subdomains\n\n - More coherent wrapper around the webex messaging API\n\n - Fixed inconsistencies affecting ChildPolicies content\n script auto-generated matching rules.\n\n - Fixed potential issues with cross-process messages\n\n - Simpler and more reliable safety net to ensure CSP\n headers are injected last among WebExtensions\n\n - Fixed regression causing refresh loops on pages which\n use type='object' requests to load images, css and other\n types\n\n - [L10n] ru and de translations\n\n - [XSS] Updated HTML events auto-generate matching code to\n use both latest Mozilla source code and archived data\n since Firefox ESR 52\n\n - New dynamic scripts management strategy based on the\n browser.contentScripts API, should fix some elusive,\n likely requestFilter-induced, bugs\n\n - Fixed no-dot domains threated as empty TLDs (thanks\n Peter Wu for patch)\n\n - Removed requestFilter hack for dynamic scripts\n management\n\n - [L10n] br and tr translations (thanks Transifex/OTF,\n https://www.transifex.com/otf/noscript/)\n\n - Best effort to have webRequest.onHeaderReceived listener\n run last (issue #6, thanks kkapsner)\n\n - [L10n] Localized 'NoScript Options' title (thanks\n Diklabyte)\n\n - Fixed inline scripts not being reported to UI (thanks\n 
skriptimaahinen for patch)\n\n - Skip non-content windows when deferring startup page\n loads (thanks Rob Wu for reporting)\n\n - Broader detection of UTF-8 encoding in responses (thanks\n Rob Wu for reporting)\n\n - Improved support for debugging code removal in releases\n\n - Fixed startup race condition with pending request\n tracking\n\n - Fixed updating NoScript reloads tabs with revoked\n temporary permissions.\n\nLegacy version: ===\n\nv 5.1.8.7\n=============================================================\n\n - [Security] Fixed script blocking bypass zero-day (thanks\n Zerodium for unresponsible disclosure,\n https://twitter.com/Zerodium/status/1039127214602641409)\n\n - [Surrogate] Fixed typo in 2mdn replacement (thanks\n barbaz)\n\n - [XSS] Fixed InjectionChecker choking at some big JSON\n payloads sent as POST form data\n\n - [XSS] In-depth protection against native ES6 modules\n abuse\n\n - Fixed classic beta channel users being accidentally\n migrated to stable (thanks barbaz)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 12, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-01-03T00:00:00", "title": "Fedora 28 : mozilla-noscript (2018-e9821afbca)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-16983"], "modified": "2019-01-03T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:mozilla-noscript", "cpe:/o:fedoraproject:fedora:28"], "id": "FEDORA_2018-E9821AFBCA.NASL", "href": "https://www.tenable.com/plugins/nessus/120875", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 
FEDORA-2018-e9821afbca.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(120875);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2018-16983\");\n script_xref(name:\"FEDORA\", value:\"2018-e9821afbca\");\n\n script_name(english:\"Fedora 28 : mozilla-noscript (2018-e9821afbca)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Changes since 10.1.8.16: ===\n\nv 10.1.9.6\n=============================================================\n\n - [TB] Gracefully handle legacy external message\n recipients\n\n - [XSS] Updated known HTML5 events\n\n - Better IPV6 support\n\n - UI support for protocol-only entries\n\nv 10.1.9.5\n=============================================================\n\n - Fix for various content script timing related issues\n (thanks therube for reporting)\n\nv 10.1.9.4\n=============================================================\n\n - Prevent total breakages when policies accidentally map\n to invalid match patterns\n\n - Internal messaging dispatch better coping with multiple\n option windows\n\n - Avoid multiple CSP DOM insertions\n\nv 10.1.9.3\n=============================================================\n\n - Fixed message handling regression breaking embedders and\n causing potential internal message loops\n\nv 10.1.9.2\n=============================================================\n\n - More efficient window.name-based tab-scoped permissions\n persistence\n\n - Fixed URL parsing bugs\n\n - Fixed bug in requestKey generation\n\n - [Build] Enhanced TLD data update subsystem\n\n - [UI] CUSTOM presets gets initialized with currently\n applied preset, including temporary/permanent status\n\n - 
Improved internal message dispatching, avoiding\n potential race conditions\n\n - [L10n] Transifex integration\n\n - Work-around for DOM-injected CSP not being honored when\n appended to the root element, rather than HEAD\n\n - Transparent support for FQDNs\n\n - Better file: protocol support\n\n - Full-page placeholders for media/plugin documents\n\nv 10.1.9.1\n=============================================================\n\n - Fixed NOSCRIPT emulation not running in contexts where\n service workers are disabled, such as private windows\n (thanks Peter Wu for patch)\n\nv 10.1.9 =============================================================\n\n - Completely revamped CSP backend, enforcing policies both\n in webRequest and in the DOM\n\n - Reload-less service worker busting\n\n - removed obsoleted failsafes, including forced reloads\n\n - Better timing for popup UI feedback on permissions\n changes\n\n - Send out a 'started' message after initialization to\n help embedders (like the Tor browser) interact with\n NoScript\n\n - Updated TLDs\n\nv 10.1.8.23\n=============================================================\n\n - Hotfix for reload loops before CSP management\n refactoring\n\nv 10.1.8.22\n=============================================================\n\n - Fixed reload loop on unrestricted tabs (thanks random\n for reporting)\n\nv 10.1.8.20\n=============================================================\n\n - Fixed Sites.domainImplies() misplaced optimization.\n\n - [L10n] Added Catalan (ca)\n\nv 10.1.8.19\n=============================================================\n\n - Fixed onResponseHeader failing on session restore\n because of onBeforeRequest not having being called.\n\n - Fixed regression: framed documents' URLs not being\n reported in the UI (thanks xaex for report)\n\nv 10.1.8.18\n=============================================================\n\n - More resilient and optimized Sites.domainImplies()\n\n - Update ChildPolicies when automatic temp TRUST 
for\n top-level documents is enabled\n\n - Fixed messages from content scripts being 'eaten' by the\n wrong dispatcher when UI is open (thanks\n skriptimaahinen)\n\n - Fixed typo causing accidental permissions/status\n mismatches being checked only while pages are still\n loading (thanks skriptimaahinen)\n\n - Fixed typo in XSS name sanitization script injection\n (thanks skriptimaahinen)\n\nv 10.1.8.17\n=============================================================\n\n - Fix: Sites.domainImplies() should match subdomains\n\n - More coherent wrapper around the webex messaging API\n\n - Fixed inconsistencies affecting ChildPolicies content\n script auto-generated matching rules.\n\n - Fixed potential issues with cross-process messages\n\n - Simpler and more reliable safety net to ensure CSP\n headers are injected last among WebExtensions\n\n - Fixed regression causing refresh loops on pages which\n use type='object' requests to load images, css and other\n types\n\n - [L10n] ru and de translations\n\n - [XSS] Updated HTML events auto-generate matching code to\n use both latest Mozilla source code and archived data\n since Firefox ESR 52\n\n - New dynamic scripts management strategy based on the\n browser.contentScripts API, should fix some elusive,\n likely requestFilter-induced, bugs\n\n - Fixed no-dot domains threated as empty TLDs (thanks\n Peter Wu for patch)\n\n - Removed requestFilter hack for dynamic scripts\n management\n\n - [L10n] br and tr translations (thanks Transifex/OTF,\n https://www.transifex.com/otf/noscript/)\n\n - Best effort to have webRequest.onHeaderReceived listener\n run last (issue #6, thanks kkapsner)\n\n - [L10n] Localized 'NoScript Options' title (thanks\n Diklabyte)\n\n - Fixed inline scripts not being reported to UI (thanks\n skriptimaahinen for patch)\n\n - Skip non-content windows when deferring startup page\n loads (thanks Rob Wu for reporting)\n\n - Broader detection of UTF-8 encoding in responses (thanks\n Rob Wu for reporting)\n\n 
- Improved support for debugging code removal in releases\n\n - Fixed startup race condition with pending request\n tracking\n\n - Fixed updating NoScript reloads tabs with revoked\n temporary permissions.\n\nLegacy version: ===\n\nv 5.1.8.7\n=============================================================\n\n - [Security] Fixed script blocking bypass zero-day (thanks\n Zerodium for unresponsible disclosure,\n https://twitter.com/Zerodium/status/1039127214602641409)\n\n - [Surrogate] Fixed typo in 2mdn replacement (thansk\n barbaz)\n\n - [XSS] Fixed InjectionChecker choking at some big JSON\n payloads sents as POST form data\n\n - [XSS] In-depth protection against native ES6 modules\n abuse\n\n - Fixed classic beta channel users being accidentally\n migrated to stable (thanks barbaz)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-e9821afbca\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected mozilla-noscript package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:mozilla-noscript\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:28\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", 
value:\"2018/09/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/09/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^28([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 28\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC28\", reference:\"mozilla-noscript-10.1.9.6-1.fc28\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"mozilla-noscript\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-05-29T18:32:54", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-16983"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2018-09-28T00:00:00", "id": "OPENVAS:1361412562310875111", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310875111", "type": "openvas", "title": "Fedora Update for mozilla-noscript FEDORA-2018-e9821afbca", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_e9821afbca_mozilla-noscript_fc28.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for mozilla-noscript FEDORA-2018-e9821afbca\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but 
WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.875111\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-09-28 13:35:19 +0200 (Fri, 28 Sep 2018)\");\n script_cve_id(\"CVE-2018-16983\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for mozilla-noscript FEDORA-2018-e9821afbca\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'mozilla-noscript'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n script_tag(name:\"affected\", value:\"mozilla-noscript on Fedora 28\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"FEDORA\", value:\"2018-e9821afbca\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3CI4Z4LF6O6TNXTHP7D5TN6UZDNBN2VP\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n 
script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC28\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC28\")\n{\n\n if ((res = isrpmvuln(pkg:\"mozilla-noscript\", rpm:\"mozilla-noscript~10.1.9.6~1.fc28\", rls:\"FC28\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}